I finally had time and a use case to build this idea that I had some years ago.
The idea is pretty simple.
I wanted to have a USB flash drive that is network connected to allow adding files remotely while the drive is
connected to a device such as a SmartTV. Basically this would allow any device that is capable of
reading files from USB flash drive to have access to data stored on the network.

For the first version of this project I used a Raspberry Pi Zero W. The PiZW comes with a USB OTG port, Wifi, and runs of a mini SDcard. So we have USB client (to emulate a USB mass storage device), Wifi (for network connectivity), and the SDcard for the actual storage.

The current implementation basically is a small linux system that takes up a tiny part of the SD card, the rest of the SD card is used to emulate the USB flash drive. The linux system automatically connects to my WiFi network. You can transfer files to the SD card via SCP. The trick of the system is that you can soft plug and un-plug the USB drive via SSH. This means you simply run a command to enable or disable the mass storage emulation, this will look like an plug or un-plug event to the device the PiZW is connected to.

I used Buildroot for this project, I created a repository that allows you to build this entire device for yourself.
My Buildroot repository contains all the scripts and settings to enable USB OTG and device switching.
The repository can be found here: github.com/crmulliner/usbnetstore.

After finishing this project I found the SanDisk Wireless Stick basically a USB flash drive with built-in Wifi. Sadly it turns out you can't switch between WiFi and USB using their app (it comes with a mobile app). This means as long as it detects a USB connection it will not allow Wifi Access. Therefore, the SanDisk device is not sufficient for my use case.

My SanDisk Wireless Stick also stopped charging after a week or so (and thus became a brick). I disassembled it and
found that the storage is provided by a SD card. The device is actually made by AirStash and sadly does NOT run Linux and therefore is not easily modifiable.

Below some pictures of this project:
One USB connector for power and one USB connector for the flash drive.

It has been a while since I wrote anything on this blog (October 2017 to be specific) and it will be
a bit until I start doing blog posts on a regular basis again. This has multiple reasons. First, I'm not doing the mobile
security update anymore since I have kinda stopped working in mobile security space. Second, I'm working
on super fun things at the moment and therefore don't have time or energy to work on side projects.
Some in progress long term projects will be continued. Third, I will likely attend fewer conferences this
year since I'm spending time on different aspects of security research.

Quick conference review: both 44con and ekoparty were great. Ekoparty was especially awesome since I got to check the last continent off my list. Also the size of ekoparty was way beyond what I was expecting. They managed to have a really good
conference that is professionally run while stilling maintaining the vibe of a hacker / underground con <3

Two weeks ago there was a post on Medium about two companies that provide a mobile identification service. That
service basically can be used to convert your phone's IP address into real information about the owner of the phone (the contract owner). This is done via APIs that are provided by multiple Mobile Network Operators (such as AT&T). The medium article linked to demo pages of those two service providers (payfone and danal inc) that show not only your phone number but also your operator's name, your name and address.

I played with the two demo sites for a bit (while they were still online - offline now). I'm on Google Fi with a number proted from T-Mobile (pre-paid). Payfone only had my phonenumber and old carrier (T-Mobile) while Danal inc showed no data at all. I never provided any data to T-Mobile since it is not required for a pre-paid card. Google has all the data but likely does not share it with 3rd parties.

Overall this is a service that I really don't want to exist. I don't want an abritary company to be able to identify me
while visiting their website from my mobile phone. I hope those companies don't just sell their services to anybody.
Read the Medium article again: AT&T consumer choice opt-out doesn't affect this!

iOS 11 the tragedy continues: 11.0 had a bunch of flaws that were annyoing. Now 11.0.3 randomly frezzes my phone for minutes. Also I have some issues with voice call audio not working sometimes. Highly disaspointing!

since I always rant about how I don't like biometrics in smartphones some people have asked me to formulate what I actually would like to see to happen in this area.

My dislike for biometrics is that you cannot change your password anymore because your password is your finger, eye (iris), or face. That means you basically show you password to everybody. A good example of this is here: Politician's fingerprint 'cloned from photos' by hacker.

The second part of the problem is that many biometric systems can be easily bypassed, some face recognition systems even with a picture shown on a smartphone screen.

The main argument I always hear is that people who wouldn't set a password (or use just a simple PIN) are using biometrics and therefore are more secure now with the help of biometrics. The kid from the previous story wasn't stopped by biometrics it was just as good as not having a password.

What would have stopped the kid from unlocking his dad's phone? A simple timeout! Basically what I want to see is a timeout for your biometrics. Once you entered your password you can unlock your phone using biometrics, after a specific amount of time you have to re-enter your password and cannot unlock the device using biometrics.
With a timeout of say 30 minutes to one hour you can prevent simple attacks while still being able to use the convenience of biometrics. Apple recently introduced the SOS mode that will also disable biometric authentication until you enter your password. I wish this was taken one step further and let you set a timeout.

I personally see biometrics on a smartphone as a pure convenience feature and treat it as a weak security feature. I only use it for ApplePay.

I think it is pretty bad to get people used to biometric authentication, Apple may get it right but other companies wont. Normal users can't determine this easily. Also how much did the additional hardware components cost to implement
fingerprint authentication or face recognition. FaceID doesn't use a normal camera so there are definitely additional
costs that you as the user have to pay for this convenience feature.

Face recognition in consumer products also gets people to accept this as
an normal everyday thing and thus helps the argument for face recognition being used in surveillance.

Some comments on BlueBorne: I've been involved with Bluetooth security
since like forever (not active in the last 10+ years). The early Bluetooth vulnerabilities were mostly logic
bugs and issues such as missing authentication. Bluetooth devices could not be set to hidden and would always show
up when scanning for devices. Stuff like that. BlueBorne is different as it is a remote exploitable memory
corruption vulnerability in Linux, Android, and Windows. This is quite a novelty since we haven't seen a bug
that is more ore less the same on two platforms. Even more interesting is that this bug is pre-authentication and
gives you kernel privileges (code exec in the kernel).

In theory this set of vulnerabilities can be bad, bad. In practice the issue is much less of an issue.
Exploit mitigations and built variances help mitigating the risk.
Devices are not always visible therefore the attacker cannot easily find your device and attack it.

FaceID: I think it is a really horrible idea! Do not put biometric systems in to consumer products ever! I will not buy products with mandatory biometrics
so far iOS allows me to turn it off and use a passphrase - thats why I even consider buying iOS devices. I hate this change -- biometrics are bad.

Pics:

Huh, here I was looking to get a phone similar to Walmarts in-store model... And eBay just has their actual in-store model... Perfect! pic.twitter.com/sq4pUtCBe3

HITB Singapore August 21-25.
The Original Elevat0r - History of a Private Jailbreak by Stefan Esser.
The Nightmare of Fragmentation: A Case Study of 200+ Vulnerabilities in Android Phones by BAI GUANGDONG and ZHANG QING.

Tencent Security Conference, August 30-31.
Pointer Authentication by Robert James Turner.
Finding iOS vulnerabilities in an easy way by Tiefel Wang and Hao Xu.
Bare-metal program tracing on ARM by Ralf-Philipp Weinmann.

44con 13-15 September London, UK.
Inside Android's SafetyNet Attestation: What it can and can't do lessons learned from a large scale deployment by Collin Mulliner.

It was good to see everybody in Vegas, even better meeting new people. Especially some folks I wanted to meet
for a long time. I had a good time at WOOT, meeting old friends was especially good. Maybe it helped that it
was in the CanSecWest hotel. I link a few relevant papers below.

Stefan Esser is running a kickstarter for an iOS Kernel Exploitation Training Course for Development of a freely available online iOS kernel exploitation training course based on iOS 9.3.5 on 32 bit devices. If you are into iOS security you should support Stefan's project!